Karl discovered a bug in the CORS protocol. We do not specify what
happens for a 304 response that does not have CORS headers. If we
follow the logic from redirects, we ought to require CORS headers in
that scenario.
Firefox does this. Chrome does not.
I want to nail this down in the 304 bit of
http://fetch.spec.whatwg.org/ at some point. I thought I'd raise it
here to see what people think.
--
http://annevankesteren.nl/